The IRM Emperor (Gartner) Has No Clothes

The Gartner Integrated Risk Management (IRM) Magic Quadrant has been out a few weeks and I have been buried with inquiries from organizations asking my thoughts on it. While I initially was going to post my thoughts in this article right away, I have spent the past few weeks doing a lot of reflection and talking to the majority of the solution providers in the Magic Quadrant and their experiences. In fact, I have interacted with 12 of the 16 solution providers in the Magic Quadrant. With 5 of these solutions providers I have actually advised them throughout varying aspects of the Magic Quadrant process in reviewing their responses, preparing them for interactions with Gartner, and playing the ‘dark side’ analyst to critique their solutions.

The Gartner IRM Magic Quadrant is of great concern in how it represents and analyzes solutions, and the process of the IRM MQ is of even greater concern. Organizations should be very cautious and skeptical of the results. I feel they are very unreliable. Here are my issues . . .

IRM vs. GRC. Gartner has to invent new terms to make themselves feel relevant. John Wheeler came out with several blogs stating how GRC has failed and is dead and organizations should look to IRM. First off, technology evolves and changes. GRC today is not the same as GRC 10 years back. The same is true of other areas of technology such as ERP and CRM: these technology categories have evolved rather than remained the same . . . but we still refer to them as ERP and CRM. Gartner is actually 5 years behind. What John Wheeler describes as IRM in his blog GRC vs. IRM Solutions – What’s the Difference? is what I talked about as GRC 3.0 in my research and blogs back in 2013:

If GRC is dead, where is the difference in the MQ? Let’s get right to the point. Gartner has made a big push in their research, blogs, and speeches that GRC is dead and has failed, and now we have IRM. If this is the case, then why are the Leaders in the Magic Quadrant for IRM the same Leaders that were in the last several Magic Quadrants for GRC by Gartner? What has failed if the exact same solutions that dominate the market are getting the leading accolades from Gartner in their old GRC research and now their new IRM research? The answer is simple: IRM is a marketing ploy by Gartner. The technologies they say have failed in GRC are the same solutions they now praise as Leaders in IRM, so they must not have failed as Gartner originally stated.

What is with Gartner changing all these terms? It is not just GRC that Gartner is trying to change. They also talk about Digital Risk Management. What is Digital Risk Management? Organizations do not use this term. They talk about information security, or IT security. Gartner has some need to rebrand things to make their analysts feel relevant.

Can Gartner make the hard calls? I must applaud Forrester: in their most recent GRC Wave, they had the ‘cojones’ to knock one of the leaders out of the Leaders area. You can compare the Wave and MQ to figure out who I am talking about; it is the solution that I get more complaints on than any other solution in the market, by a significant amount.

Gartner IRM use cases are incomplete. Gartner defined six IRM use cases in their IRM MQ: Digital Risk Management, Vendor Risk Management, Business Continuity Management, Audit Management, Corporate Compliance & Oversight, and Enterprise Legal Management. My prominent question – where is Enterprise and Operational Risk Management (ERM, ORM)? There are defined capabilities and needs for enterprise and operational risk management that are not covered or brought out. Most of Gartner’s research has a large IT security bent to it, oops, I mean digital risk management, that permeates everything and fails to see the broad range of enterprise and operational risks. Also, they bring Enterprise Legal Management into IRM, which I see in about 5 to 10% of Enterprise GRC (IRM) RFPs. I am not against this, but they failed to mention Environmental, Health & Safety (EH&S), which is in over 50% of Enterprise GRC (IRM) RFPs. In fact, Gartner has completely discontinued their coverage of EH&S technology.

The Magic Quadrant process has serious issues. What is extremely concerning about the Gartner Magic Quadrant for IRM is the process. Some issues are:

Video demos and not live demos. Gartner did not want to have live demonstrations of the solutions; they wanted organizations to submit video demos. Anything can be mocked up in a video. Forrester, on the other hand, requires live demos and even requires a sandbox to work with the solution themselves. I have advised solution providers in the Forrester GRC Wave and have seen the audit trail of Forrester analysts going through the solution and testing it themselves. Not so with Gartner; they do not want a sandbox or even a live demo . . . just a video. And organizations around the world are relying on the Magic Quadrant? This is downright scary.

Lack of transparency. Further, Gartner does not publish the criteria, scores and weightings of the Magic Quadrant. It is exactly what it says it is . . . MAGIC. Forrester publishes a full spreadsheet with each of the hundreds of criteria measured, the vendor score on each, and the weighting. You might disagree with Forrester’s findings, I do at times, but Forrester is transparent and Gartner is not.

Client reference checks. Client references are also a concern: while Gartner got on the phone with a few client references, they are overly reliant on web surveys for client references. To get real answers you have to talk and interact with a range of client references and ask the hard questions. You also have to talk to the individuals using the solution every day and not just the decision maker.

Inconsistency in Strengths and Cautions. For each solution evaluated, Gartner publishes strengths and weaknesses, usually 3 but sometimes 2. But these are not consisten